As threat actors have become more sophisticated in the way they target federal information systems, the Cybersecurity and Infrastructure Security Agency issued a new directive Tuesday ordering agencies to disconnect from the internet the devices they use to manage their networks.
In a binding operational directive, CISA said bad actors are taking aim at “certain classes of network devices to gain unrestricted access to organizational networks leading to full scale compromises.”
As a result, the federal cybersecurity agency has ordered federal executive branch agencies to remove from the internet any “networked management devices,” making them accessible only from an internal network, or to deploy zero-trust capabilities into their network architecture so an agency administrator can enforce access controls separate from the interface.
In line with the Biden administration’s broader push for zero-trust security across the government, CISA’s preference is that agencies take the zero-trust approach. CISA in April issued a second version of its Zero Trust Maturity Model.
CISA classifies as “networked management devices” those devices that reside on or support federal information systems, such as routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out-of-band server management interfaces, that are also connected to the wider internet and use network protocols for remote management. Those protocols include Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), File Transfer Protocol (FTP), and others.
CISA gives a common example of such a configuration: “An agency employs a router that manages traffic inside their network. The router’s web management interface, used by an agency administrator, is accessible via HTTPS. The management interface is reachable by an entity directly from the public-facing internet. In this example, the management interface would fit the scope of the BOD and will be subject to the Required Actions.”
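The scope test in CISA’s example (a management service on a network device, reachable from the public internet) can be applied across an inventory. The following is an added example written for this article, not code from CISA or from the directive’s implementation guidance. It assumes a constructed inventory format (fields `device`, `port`, `address`, `allowed_sources`), treats RFC 1918, loopback and link-local space as the “internal network” (an agency would substitute its own ranges), and adds SSH to the article’s list of management protocols as an assumption. A listener with no access rule recorded is treated as reachable from anywhere, since that is the failure mode the directive is aimed at.

```python
import ipaddress

# Remote-management protocols the article names; SSH added as an assumption
# because it is the usual CLI management listener on the same device classes.
MANAGEMENT_PORTS = {21: "FTP", 22: "SSH", 80: "HTTP", 443: "HTTPS"}

# Address space treated as the "internal network". Assumption: RFC 1918 plus
# loopback and link-local; an agency would substitute its own ranges here.
# Deliberately not ipaddress's is_private, which also counts documentation
# ranges such as 203.0.113.0/24 as private and would hide the constructed
# public addresses in the sample inventory below.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(cidr):
    """True only if every address in cidr lies inside one internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == inner.version and net.subnet_of(inner)
               for inner in INTERNAL_NETWORKS)


def exposed_listeners(inventory):
    """Return management listeners reachable from outside the internal network.

    Each record (constructed format): device, port, address, and an optional
    list of source CIDRs the surrounding ACL admits. A listener with no ACL
    recorded is treated as reachable from anywhere (0.0.0.0/0).
    """
    findings = []
    for rec in inventory:
        proto = MANAGEMENT_PORTS.get(rec["port"])
        if proto is None:
            continue  # not a remote-management service, out of scope
        sources = rec.get("allowed_sources") or ["0.0.0.0/0"]
        external = [s for s in sources if not is_internal(s)]
        if external:
            findings.append({
                "device": rec["device"],
                "service": f"{proto}/{rec['port']}",
                "address": rec["address"],
                "reachable_from": external,
            })
    return findings


# Constructed inventory; TEST-NET documentation addresses stand in for public ones.
SAMPLE_INVENTORY = [
    # The article's own example: router web UI over HTTPS, open to the internet.
    {"device": "edge-router-1", "port": 443, "address": "203.0.113.10",
     "allowed_sources": ["0.0.0.0/0"]},
    # Same device class with management limited to the internal network.
    {"device": "core-switch-2", "port": 443, "address": "10.20.0.5",
     "allowed_sources": ["10.0.0.0/8"]},
    # Out-of-band server management interface with no ACL recorded at all.
    {"device": "bmc-db-01", "port": 80, "address": "198.51.100.7"},
    # Partially restricted ACL that still admits one non-internal range.
    {"device": "vpn-concentrator", "port": 22, "address": "10.30.0.1",
     "allowed_sources": ["10.0.0.0/8", "192.0.2.0/24"]},
    # VPN data-plane service (IKE), not a management protocol: out of scope.
    {"device": "vpn-concentrator", "port": 500, "address": "203.0.113.20",
     "allowed_sources": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for f in exposed_listeners(SAMPLE_INVENTORY):
        print(f"{f['device']}: {f['service']} on {f['address']} "
              f"reachable from {', '.join(f['reachable_from'])}")
```

Run against the sample inventory, the check reports the edge router’s HTTPS interface, the BMC with no ACL, and the VPN concentrator’s SSH listener whose ACL admits a non-internal range; the switch restricted to 10.0.0.0/8 and the IKE data-plane port are left alone. The two remediation paths the directive names map onto the same records: either the `allowed_sources` for each flagged listener shrinks to internal ranges, or the listener sits behind a zero-trust access control that enforces the policy independently of the device’s own interface.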
“As agencies and organizations have gained better visibility of their networks and improved endpoint detection and response, threat actors have adjusted tactics to evade these protections by targeting network devices supporting the underlying network infrastructure. Recent threat campaigns underscore the grave risk to the federal enterprise posed by improperly configured network devices,” the directive states.
As threat actors target misconfigured, insecure, or out-of-date network devices, the risk is even greater if they are connected to and accessible from the public internet, CISA says.
CISA will scan for such agency devices connected to the internet and notify agencies. Within 14 days of that notification or an independent discovery, agencies will be required to disconnect the devices from the internet or take corrective actions implementing zero-trust capabilities.
On top of this, CISA has directed agencies to implement technical controls so that existing and newly added devices are likewise either restricted to an internal network or protected by zero-trust access controls.
To help civilian agencies meet the requirements of the directive, CISA issued accompanying implementation guidance with additional background and commonly asked questions.